Vulnerability management solution Tripwire IP360 provides visibility into your network, both on-premise and in the cloud, including all devices and their associated operating systems, applications and vulnerabilities. The Tripwire Vulnerability and Exposure Research Team (VERT) keeps Tripwire IP360 up-to-date with accurate, non-intrusive discovery signatures that are current and relevant to large organizations.
*Please note that as of 2013, Tripwire acquired nCircle and nCircle IP360 is Tripwire IP360.
To import your data from Tripwire IP360 to the Kenna.VM module, you will need to leverage the Tripwire Connector under the Vulnerability Management category on your Connectors Page.
The Connector is a full run connector, unless the scan_type is a Partial Scan. Then Kenna will pick up the full report from the partial scan and upload that data.
User Prerequisites/Connector Setup:
-
Given that connector is an API Connector the service Account you wish to leverage must have access to the Tripwire API.
-
Your service Account must also have access to all the scan data you wish to import.
- If your Tripwire scanner is on premise you will need to have the Kenna Virtual Tunnel set up prior to attempting to run the connector.
- If you do not have the Virtual Tunnel set up and your scanner is on-premise the connector will fail.
Configuring your Connector in Kenna
To set up the Connector, navigate to the Connectors tab in your Kenna deployment (you must be a Kenna Administrator to do so). On the Connectors page, select Tripwire.
Once you select the Tripwire API Connector, the following screen will appear:
-
Enter a name for the connector, or leave it as “IP360 API” if you wish.
-
Enter the Username and Password for the account, along with the Host information.
-
If your host is static, enter the IP address and the port.
-
If your host is dynamic, enter the DNS and port information.
-
-
Schedule the Connector. Select the frequency at which you’d like your Kenna Connector to run. (we recommend mirroring the cadence of your Tripwire Scans).
-
Select the “Use Kenna Virtual Tunnel” checkbox below “asset inactivity limit” if your scanner is on-premise
-
Click Save and Verify.
-
If you’d like to set a connector level asset inactivity limit, you can do that at this time, or later. (We recommend 2-3x the scan cadence of your Tripwire Scans).
What Tripwire Items does Kenna Import?
Kenna will import all of the applications associated with the user leveraged for the connector. We will pull:
Tripwire IP360 Field |
Kenna Field |
Notes |
---|---|---|
AppName or AppID |
Application Name |
|
Audit_id |
scan_type |
If the scan_type is a partial scan, Kenna will disable the auto-closing feature for vulns that do not appear in the export. For all vulns that appear in the scan we will update their status. For vulns that do not appear, we will not auto-close them. This is to prevent false auto-closures. |
Vuln > name |
Name |
|
vuln_id |
Identifier (Vulnerability) |
|
vdescription |
Description |
|
|
Vulnerability Status |
Only maps Open, Closed vulnerabilities. |
cves |
CVE |
|
port |
Ports |
|
-N/A- |
Last Seen |
Kenna does not receive an explicit last seen date. We take the date of the connector run with the vulnerability present and utilize that datestamp as the Last Seen date. |
end_date |
Found On |
|
-N/A- |
Closed |
Kenna does not receive an explicit Closed status from Tripwire. With the vulnerability export reports, any previously identified vulnerabilities that are no longer present (in a full scan) will be auto-closed as remediated. |
-N/A- |
Created |
Date the vuln was first imported to Kenna. Not mapped to a Qualys field. |
os_vendor |
OS |
If OS_Vendor hash is filled with “UNKNOWN_OS” we will remove this data and leave a null field rather than importing the asset with OS as “unknown_os” |
hostname |
hostname |
If locators hash is filled with “UNKNOWN_HOSTNAME” we will remove this data and leave a null field rather than importing the asset with hostname as “unknown_hostname” |
ip |
ip_address |
|
netbiosname |
netbios |
|
persistent_id |
External Host ID |
|
-N/A- |
Tags |
There are no tags or tag references for Tripwire |
Optional Settings
The following settings can be enabled on the backend for Tripwire Connectors. To have these settings enabled, or for more information, please contact Support, or your Customer Success Engineer.
-
Exclude Informationals
-
When this option is enabled, Kenna will not import vulnerabilities that do not include a CVE, CWE, or WASC ID.
-
-
Skip Tags
-
This setting will allow you to NOT create any Tags within Kenna based on the scanner metadata.
-
-
Ignore Scanner Last Seen Time
-
If you do not want the asset last seen time in Kenna to be the scanner reported last seen time.
-
-
Tag Reset
-
This setting will assist in keeping your scanner metadata in sync with Kenna. Each time the connector is run, ALL tags within Kenna will be removed and the scanner tag metadata re-created.
-
If you have created any manual tags OR any tags were created off of metadata from other connectors that tag info will be removed and will be refreshed once those other connectors are rerun.
-
-
Custom Ordered Locators
-
Locators (IP, Netbios, FQDN, etc) can be reordered to better deduplicate vulnerabilities on the Connector level or the entire Platform level. For more information see the help article here.
-
Common Reasons for Tripwire Connector Run Failures
- Bad Credentials
- If you enter the incorrect connector credentials during the connector setup, we will not have access to the Tripwire environment to make the API calls.
- If no reports are found we will abort the Connector run, rather than fail it outright
- If an API call fails (no data available, or other reasons)
-
Unexpected data returned
-
If Kenna receives data that is not in the expected format and we are unable to process it, the connector will fail.
-
-
If more than 1% of connector payloads fail to import cleanly, Kenna will auto-fail the Connector Run
Additional Assistance:
Please contact Kenna Support should you require any additional assistance with the Tripwire Connector.
Comments
Please sign in to leave a comment.